Sony Pictures 2011 LulzSec Hack

In late May-early June of 2011, LulzSec, a loose collective of hackers, took credit for stealing massive amounts of data from SonyPictures.com. The collective stole names, passwords, e-mail and home addresses of millions of customers/users.

One potential motive for the hack was said to be retaliation for Sony’s legal action against George Hotz, a hacker who had been responsible for jailbreaking the Sony PlayStation 3. However, LulzSec officially said that the attack was undertaken to highlight Sony’s “disgraceful” security.

Indeed the attack was said to have come from a good old fashioned “SQL Injection” attack …

LulzSec Logo

In a press release the group said: “Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

This was the second massive data breach effecting Sony and massively damaging its brand image after an earlier hack of millions of encrypted credit card numbers (but possibly with weak or badly implemented encryption because later on stolen credit card numbers surfaced) and loads of unencrypted PII.

In the case of the present breach, LulzSec claimed that the 1,000,000 passwords taken were in plain text and that Sony was “asking for it.”

Interesting Facts:

During the height of the scandal, LuzlSec posted on its Twitter account barbs at Sony calling them “silly Sony” and “You Sony morons.”

LulzSec stands for “lulz” for laughs and “security.”

LulSec member “Sabu” (Hecto Xavier Monsegure) was eventually arrested by federal authorities, and in 2001 became an informant. He provided key information leading to the arrest of several other “hacktivists” associated with Anonymous, LulzSec and Antisec.